How can I make SmartScreen Filter trust a self-signed certificate


Question


Microsoft's SmartScreen Filter under Windows 8 is a small developer's worst nightmare.


While I realize the benefits to end users and the effectiveness at stopping malicious programs from installing themselves on end users' computers, I and many other developers would rather not pay the fees for annual renewal of a Code Signing Certificate or, even worse, an EV Code Signing Certificate. Also, when products developed for use in-house are signed with a trusted certificate from an internal CA, stored in the Trusted Publishers store, they still fall prey to the filter's overzealous behavior.


Developers and Administrators used to be able to disable the warnings and prompts by installing a publisher's Code Signing Certificate in the Trusted Publishers store. Creative developers could install their self-signed Code Signing Certificate there when they install a pre-requisite signed and timestamped with a paid-for Authenticode Code Signing Certificate. After that, programs signed by the publisher would be trusted and would not trip the SmartScreen Filter alarms. Essentially, once trusted, a publisher was free from the recurring fees.


The recent changes to the SmartScreen Filter (and its inclusion as an OS "feature" in Windows 8) make it clear Microsoft wants you to buy a code signing certificate instead of creatively working around the problem they've created for you. Has anyone discovered a new method to trust publishers who use their self-signed Code Signing Certificates by default (i.e., not showing the prompts)? Short of turning off the filter completely, what can end users do to let the SmartScreen Filter know to always trust a Self-Signed certificate?


Please note that purchasing a Code Signing Certificate is not an answer to this question. I'm looking for a way to tell SmartScreen Filter to trust a publisher that does not purchase certificates from an outside source, but instead issues their own for use inside their organization.


UPDATE: I think I might have found a workaround! From MSDN, SmartScreen Filter can be disabled on Windows 8 and Internet Explorer 10 for sites listed as Trusted Sites. If someone could verify that this method works for setup programs downloaded and run from a Trusted Site in Windows 8, that would be greatly appreciated and would help a lot of ISVs and in-house development teams. It would also be the workaround needed to answer this question. Trusted Sites can be configured by group policy, so it would be simple from there.


Programmatically, turning off SmartScreen Filter for the Trusted Sites Zone can be achieved by setting either HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 for the machine or HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 for the user to 0, and adding the site to be trusted to the Trusted Sites Zone can be done as shown in this question.


Could someone please verify that my proposed workaround functions on Windows 8 for an unsigned or self-signed executable downloaded from a Trusted Site? I'm not using Windows 8 myself, having spent my OS upgrade budget on certificate fees.

Recommended answer


Using a 90-day trial of Windows 8 from Microsoft, I've been able to verify that my workaround does indeed work. If you want to pay for a code signing certificate once and only once instead of paying annual fees, this method should work for you as well, but I can't make any guarantees. My solution is per-machine, but should be easy to convert to work per-user.

Here's my solution:

  1. Set up your own certificate infrastructure.
  2. Publish copies of your root CA certificate, any intermediate CA certificates issued by your root, and any code signing certificates issued by your intermediate CAs to your website as .cer files.
  3. Install an SSL certificate on your website that was issued by your Root CA.
  4. Create an installer/downloader application that performs the following tasks:
    • Installs the root CA certificate (from your website, step 2) into the Trusted Root Certification Authorities store for the end user's machine.
    • Disables SmartScreen Filter for the Trusted Sites internet zone by setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 to 0.
    • Adds your website to the zone map by adding the registry key(s) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yourdomain.com\yoursubdomain.
    • Maps your domain to the Trusted Sites zone by creating a DWORD named https with a value of 2 in the key created in the previous step.
  • Before buying, make sure that the certificate and timestamping scheme the CA uses for its code signing certificates does not result in OID 1.3.6.1.4.1.311.10.3.13 or 1.3.6.1.4.1.311.10.3.14, because these make the signature expire when the certificate expires, whether or not it is timestamped.
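As an added example (not from the original answer), the PowerShell below audits the settings the steps above touch: it reports what value 2301 under Zones\2 currently holds in the machine, user and policy hives, lists every host the ZoneMap maps into zone 2, and inspects a signed file's certificate for the two OIDs named in the last bullet. The function names are the example's own; it assumes a Windows host with PowerShell 5.1 or later and read access to the registry.

```powershell
# Added example, not from the original answer: audit the settings the answer describes.

function Get-TrustedSitesSmartScreenState {
    # Value 2301 under Zones\2 is the Trusted Sites SmartScreen setting; the answer sets it to 0.
    $bases = 'HKLM:\SOFTWARE\Microsoft', 'HKCU:\SOFTWARE\Microsoft',
             'HKLM:\SOFTWARE\Policies\Microsoft', 'HKCU:\SOFTWARE\Policies\Microsoft'
    foreach ($base in $bases) {
        $zone2 = Join-Path $base 'Windows\CurrentVersion\Internet Settings\Zones\2'
        $value = (Get-ItemProperty -Path $zone2 -Name '2301' -ErrorAction SilentlyContinue).'2301'
        [pscustomobject]@{ Key = $zone2; Value2301 = $value; SetToZero = ($value -eq 0) }
    }
}

function Get-TrustedSitesZoneMappings {
    # ZoneMap\Domains\<domain>[\<subdomain>] holds one value per scheme; 2 means Trusted Sites.
    foreach ($hive in 'HKLM', 'HKCU') {
        $domains = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (-not (Test-Path $domains)) { continue }
        foreach ($key in Get-ChildItem -Path $domains -Recurse) {
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -ne 2) { continue }
                # Key path is domain-first ("yourdomain.com\yoursubdomain"); rebuild the host name.
                $parts = ($key.Name -replace '^.*\\Domains\\', '') -split '\\'
                [array]::Reverse($parts)
                [pscustomobject]@{ Hive = $hive; Host = ($parts -join '.'); Scheme = $scheme }
            }
        }
    }
}

function Test-LifetimeSigningEku {
    param([Parameter(Mandatory)][string]$Path)
    # OIDs from the last bullet: a signer certificate carrying either makes the signature
    # expire with the certificate, timestamp or not.
    $lifetimeOids = '1.3.6.1.4.1.311.10.3.13', '1.3.6.1.4.1.311.10.3.14'
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $ekus = @()
    if ($sig.SignerCertificate) {
        $ekus = @($sig.SignerCertificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    }
    [pscustomobject]@{
        File         = $Path
        Status       = $sig.Status
        LifetimeEkus = @($ekus | Where-Object { $lifetimeOids -contains $_ })
    }
}

Get-TrustedSitesSmartScreenState | Format-Table -AutoSize
Get-TrustedSitesZoneMappings     | Format-Table -AutoSize
```

Run `Test-LifetimeSigningEku -Path .\setup.exe` against a signed installer to see whether its signer certificate carries either OID before committing to a CA.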


The worst warning I’ve received using this method so far has been "This type of file could harm your computer." That's the typical "You're downloading an executable file!" warning. It doesn’t hide the Run option and does not appear for ClickOnce deployments using the bootstrap webpage generated by clicking "Publish" in VS2010.

Thanks for all the comments and links.

